rprf Menu

About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

September 25, 2017

Fed Payments Webinar Series Launching

One of the comments we consistently received when we conducted the Mobile Banking/Payments Survey last fall was the desire for the Atlanta Federal Reserve to provide more educational opportunities on current payment technologies and issues. Not only have small and mid-sized financial institutions expressed this need, but so have consumer advocacy groups and law enforcement agencies. Educational efforts, along with research, on payment risk issues are at the core of the Retail Payments Risk Forum's overall mission.

In response to these requests, the Risk Forum is launching a webinar series called Talk About Payments (TAP). The TAP webinars will supplement this blog, forums and conferences we convene, and other works we publish on the Forum's web pages. The current plan is for the webinars to be presented once a quarter. Financial institutions, retailers, payment processors, law enforcement, academia, and other payment system stakeholders are all welcome to participate in the webinars. Participants can submit questions during the event.

We will have our first webinar—titled "How Safe Are Mobile Payments?"—on Thursday, October 5, from 1 to 2 p.m. (ET). The webinar will cover such topics as mcommerce growth, mobile wallets, tokenization, fraud attack points, and risk mitigation tools and tactics.

Participation in the webinar is complimentary, but you must register in advance. To register, go to the TAP webinar web page. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information.

We hope you will join us for our first webinar on October 5, and for our future webinars. If there are any particular topics you would like for us to cover in future webinars, please let us know.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

September 18, 2017

The Rising Cost of Remittances to Mexico Bucks a Trend

From time to time, I like to look back at previous Risk Forum activities and see what payment topics we've covered and consider whether we should revisit any. In September 2012, the Risk Forum hosted the Symposium on 1073: Exploring the Final Remittance Transfer Rule and Path Forward. Seeing that almost five years have passed since that event, I decided I'd take another, deeper look to better understand some of the effects that Section 1073 of the Dodd-Frank Act has had on remittances since then. I wrote about some of my findings in a paper.

As a result of my deeper look, I found an industry that has been rife with change since the implementation of Section 1073 rules, from both a regulatory and technology perspective. Emerging companies have entered the landscape, new digital products have appeared, and several traditional financial institutions have exited the remittance industry. In the midst of this change, consumers' average cost to send remittances has declined.

Conversely, the cost to send remittances within the largest corridor, United States–Mexico, is rising. The rising cost is not attributable to the direct remittance fee paid to an agent or digital provider but rather to the exchange rate margin, which is the exchange rate markup applied to the consumer's remittance over the interbank exchange rate. As remittances become more digitalized and the role of in-person agents diminishes, I expect the exchange rate margin portion of the total cost of remittance to continue to grow.

Even though the average cost of sending remittances to Mexico is on the rise, I found that consumers have access to a number of low-cost options. The spread between the highest-cost remittance options and the lowest-cost options is significant.

With greater transparency than ever before in the remittance industry, consumers now have the ability to find and use low-cost remittance options across a wide variety of provider types and product options. To read more about the cost and availability of remittances from the United States to Mexico and beyond in a post-1073-rule world, you can find the paper here.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

January 30, 2017

Pssst…Have You Heard about PSD2?

No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.

The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:

Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customer's behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.

Requires financial institutions, upon the request of their customers, to allow these approved nonbank, third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customer's business as well as concerns with data security.

Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.

Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.

While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

January 17, 2017

Expanding Cybersecurity

Payments people start biting their nails when they hear "share more with more." They have been conditioned to keep payments information from ever being shared. But that is in the context of protecting legitimate payments system users from losing money while a fraudulent party benefits. At 7,000 members, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is currently the largest financial services trade association in the world. I attended their Fall Summit last October, a month fittingly designated National Cybersecurity Awareness Month, and heard plenty about sharing. The mission of FS-ISAC is always strength in sharing; this year's summit focused on expanding the trust.

Payments people are used to looking for fraud by way of chargebacks and returns, one payment-channel silo at a time. Shhh. Don't let ACH people share information with wire people, and vice versa—the risk department will let us know if there is an issue. Of course, payments fraud is an ever-increasing battle, and we must remain vigilant. However, who is prepared to recognize payment events that from a bird's-eye view may look legitimate but, when analyzed, point to a threat of mass destruction?

Recent distributed denial-of-service (DDoSs) attacks highlight the scale of network bandwidth that can be unleashed on connected systems. Payments are just that, a network of systems that connect every aspect of our economy. There are countless examples of services or goods not being rendered when payments aren't received. Liquidity failures do tend to cause a state of panic. Even attacking one specific sector such as payroll processing on the first of the month could lead to disaster. As my colleague pointed out in a July 2016 blog, cash is alive and well, but payments systems today rely totally on telecommunications, which rely on our power grid.

Admiral James Stavridis, the keynote speaker at the FS-ISAC Summit, echoed the importance of expanding trust, along with the need to increase the resiliency of the nation in the event of a cyber-incident. Stavridis provided many encouraging solutions, one being that it is time for a cyber-force branch of the military. The United States Air Force was formed as a separate branch of the military in September 1947 under the National Security Act of 1947 as aerial warfare advanced. Stavridis proposed that now is the time for us to consider that cyber-incidents could be used as weapons of mass destruction. He applauded the current combat against cybercrime, yet encouraged new thought on what could be in store and how quickly it could arrive.

How do payments people continue down the path of protecting individual players while simultaneously protecting the nation from a crippling cyber-incident? It could be just a matter of whom you invite to the table. As I saw with attendance at the FS-ISAC Summit, the cybersecurity conversation needs to include diverse skill sets. There has been a trend in moving information security departments away from their information technology partners and under the risk and compliance umbrella so they can remain unbiased when scrutinizing payment transaction red flags and other systems. Additionally, legal barriers are being reevaluated to ensure that law enforcement can access information, most notably by FinCEN expanding Suspicious Activity Report requirements to include cyber events.

And, more deeply about whom we are trusting at the table, are we actually expanding the information shared? Could we make correlations by looking at payment volumes together with cyber activity and reports of fraud?

There is a growing sense that payment security equates to cybersecurity and national security. With Stavridis and others promoting the movement for "expanding the trust," new ideas continue to emerge. Hopefully, the technologies and strategies that are made to wow us (for example, the internet-of-things, machine learning, and the distributed ledger) can also serve to unite and protect us.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

November 21, 2016

Are Mobile Phone Payments Secure?

A consistent and leading reason consumers give as to why they don't use their mobile phone to make payments is their concern about the phone's level of security. While many consumers don't believe that mobile payments are as safe as other payment methods, is that actually the case? For more than six years, the Federal Reserve Banks of Atlanta and Boston have been supporting the Mobile Payments Industry Workgroup (MPIW). The MPIW was created to facilitate the development of a vision for a mobile payments environment that will be effective, secure, and ubiquitous. This group has met frequently to address the issues of technology, standards, security, privacy, functionality, regulation, and adoption barriers. The various deliverables from past MPIW meetings focus on security and risk and can be found on the Federal Reserve Bank of Boston's website.

As this blog has noted numerous times over the last two years, the migration to chip cards for in-person POS payments will shift more fraud over to the card-not-present (CNP) market. With the introduction of numerous mobile wallets since 2014 that can be enabled on smartphones, the MPIW believed that an assessment should be made of the risk issues associated with commerce generated through the mobile phone—or m-commerce—whether through a browser or a specific wallet application. Over the last eight months, Fed representatives and mobile payment experts have been working on the development of a white paper, which was released on November 8. You can access the full report here.

The MPIW's report provides an assessment and the future position of mobile payments as a part of the overall e-commerce growth expected in the United States. It groups the various types of remote mobile payments into four use cases and dissects the transaction flow for each use case with a description of the potential risk attacks in each key function of the transaction. We believe the report provides the payments industry with a sound primer of mobile wallet transaction security issues. While there are attack points in the mobile phone channel just as there are in other payment channels, the mobile phone offers features that can make a mobile payment transaction much more secure than many people currently believe. The MPIW will continue to assess the mobile CNP payments environment and produce presentations and other materials intended to educate the industry and consumers.

You can find additional MPIW white papers and other publications on the MPIW web page.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 11, 2016

Taking a Quantum Leap into Payment Security

It was 1969, and the only thing hotter than muscle cars was space exploration. Several of my elementary school books found ways to talk about space, astronauts, NASA, or all of them, and more than one almost guardedly indicated that someday man may even reach the moon. Those of you who recall black-and-white TV might remember watching the moon landing live in the summer of '69.

Despite all that was speculated and wondered about at the time—from extraterrestrials to moon colonies—the space race had been "won." There followed a decline in related interests and, ultimately, a moderating of investment in basic scientific research. One of those sciences, quantum research, is of particular note in regards to potential commercialization for computing and communications. And we're behind like we were in the space race in the early 1960s.

NASA research and development (R&D) appropriations in 1959 were about $200 million. By 1966, R&D totaled almost $5 billion, according to the NASA Historical Data Book for 1958–1968. U.S. federal funding for quantum research each year is just barely what space R&D totaled in 1959. Those numbers offer their own stark contrast, but I'll add one other point of comparison—between what we're spending in this area versus China—one of only three countries to ever soft land on the moon, and now the first to launch a quantum communications satellite. Their annual funding has been conservatively estimated at over $10 billion, according to the Wall Street Journal.

To explain why a payment blogger cares about all this, I'll ask a couple of questions. What would it be worth to have a payment scheme based on "unhackable" communication? Impossible? Maybe not.

Quantum communication is secure against computing because its encryption relies on physics, not math. Josh Chin's August 16 article in the Wall Street Journal explained it this way:

Quantum encryption is secure…because information encoded in a quantum particle is destroyed as soon as it is measured. Gregoir Ribordy…likened it to sending a message written on a soap bubble. "If someone tries to intercept it when it's being transmitted, by touching it, they make it burst," he said.

There are critics. U.S. security experts have questioned whether intricacies of quantum communication can be simplified enough for practical, broad use. Others have stipulated that it's possible for hackers to trick incautious recipients. Indeed, this blogger has espoused the idea that nothing is infallible against a determined criminal. But it's hard to argue the advance wouldn't change the game. One might speculate that quantum communication could yield results similar to those described in the etiological tale of the Tower of Babel where languages were confused. Mischief wasn't halted for all time, but altering communication put some pacing on misbehavior. Changing the game, wholesale, is worth considering as the evidence is overwhelming that we're losing in payment security by making changes at the margin to current schemes, methods, and processes.

I'll close with this. Substantial sums of federal money were spent on infrastructure, R&D, policing, and defense owing to the space race. I think most will agree we got our money's worth, especially considering that aside from stated objectives, investing in the space race gave us everything from microchips to satellite navigation—and let us not forget CorningWare. Investing in quantum research holds similar promise, and payment security might benefit from some catch-up.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

February 1, 2016

Putting All Our Payment Eggs in a Single Basket

More than 60 percent of risk managers at financial services firms believe the probability of a global, "high-impact event" has increased of late, according to a new survey from the Depository Trust & Clearing Corporation. Worry over actual or potential cyberattacks underpins this belief. In a discussion about the survey, a colleague lamented the invention of computers and wished that our financial transactions hadn't become so dependent on technology. At first I thought to agree until it dawned on me that this thinking is tantamount to tossing the baby with the bathwater.

The problem revolves around thieves, not their tools. We have never been free from worry over theft, and this was true when our best computer was an abacus. When the Aztecs used chocolate for money, counterfeiters of the day took the cacao bean, separated the original contents from the husk, and repacked it with mud. And still, in any place where commerce is overly cash-based, thieves tend to concentrate their efforts, targeting the most vulnerable with everything from counterfeit notes to outright theft. The digital age did not usher in larceny; thieves have always stolen, and hiding from computers won't insulate us from bad guys.

But hold up, you say. A block chain—the part of bitcoin technology that ensures anonymity—just might insulate you. Not to take away hope, but what have we ever invented that hasn't been hacked, cracked, or abused? I can think of nothing, no matter how cleverly conceived or well defended, that isn't eventually defeated.

I don't despair over it all and will say why in a moment, but first I need to note that even with a long list of advances, both in how and what we exchange, the new has not eradicated the old. Coins survived the advent of paper. And despite decades-old, recurring predictions of their looming demise, both coins and paper have survived the magic of computing. As a result, despair gives way to cheer. There are options, and plenty of them.

Options—different forms of payments based on diverse platforms and premises—make for textbook risk mitigation. First of all, what survives gets better. It must so that it can survive. Consider what bills look like today, with their numerous anticounterfeiting elements, compared to what they looked like 20 years ago. Or consider when checks dominated fraud conversations and contrast that to their relative (un)importance in fraud conversations today. Moreover, multiple payment channels and options mean less concentration of risk. To the extent that cash, checks, and more remain—"cyberstuff" too, but with the cyber-world diversified, not overly consolidated—risk can be spread and hence reduced.

An advanced society that wants to endure, stay resilient and strong cannot rely on only one means of exchange based on only one platform. For those wishing for one or just fewer, more modern payment solutions (with apologies to all paper haters), my advice is be careful what you wish for. For the average consumer, my advice is pay attention to the "payments intelligentsia" and be wary of pushes for an advanced, universal, singular way to do payments. Be particularly wary of changes that aren't being called for by the market itself. We can never eliminate risk but we can mitigate it and minimize the extent that bad people can create widespread trouble.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

September 14, 2015

The Cost of Free Wi-Fi

When I was a teenager, my friends and I were often on the prowl for bargain restaurant offers. The all-you-can-eat buffet at our local Chinese restaurant was a favorite, but every so often we would discover a "free meal deal." We were once reminded by my friend's dad that "nothing in life is free." That quote left a lasting impression on me.

The validity of this quote was hammered home recently during a security discussion I had with a friend on connectivity to the Internet through free public Wi-Fi. Though free public Wi-Fi is, well, free, it has "soft" costs tied to the lack of security in the connection. And these soft causes can quickly lead to the "hard" costs of fraud—from theft of personal information, user names and passwords, or payment credentials, since hackers are easily able to intercept data transmitted over the Wi-Fi network. Beyond this method, which involves a legitimate network, fraudsters can also deploy rogue Wi-Fi networks for the sole purpose of stealing information. And then, once they have that information, the fraudster can use it to access your accounts under your identity.

This does not mean that people shouldn't use free or public Wi-Fi. When I am away from my home, whether I'm at a local coffee shop or on the road at a hotel, I often seek locations with free Wi-Fi. Apparently, I am not the only one. A recent survey by a U.K. hotel chain found that free Wi-Fi was the most important factor for its customers when choosing a hotel. Free Wi-Fi even ranked higher than a good night's sleep!

However, using free public Wi-Fi and trusting it are two different things. It should never be trusted, and therefore users should do everything to protect themselves and their information. Before joining a free public Wi-Fi network, users should ensure that it is a legitimate network offered by a legitimate entity such as a business, municipality, hotel, or airport. Criminals often will use deceptive Wi-Fi names to trick users into choosing bogus Wi-Fi networks, so users should pay close attention to signage promoting Wi-Fi networks or ask staff for help in identifying legitimate networks. The Federal Trade Commission offers detailed advice on protecting yourself against Wi-Fi security risks once you are connected, including:

Use a virtual private network, or VPN.

Use SSL-encrypted connections by enabling the "Always Use HTTPS" website option.

Turn off file sharing.

These risks are not just limited to free public Wi-Fi networks. They are also inherent to any public Wi-Fi network, including paid networks such as the in-flight Wi-Fi that many airlines offer. It is imperative that users of public networks take the necessary steps to safeguard their information, especially while conducting financial transactions. As free public Wi-Fi spots continue to proliferate and more financial transactions move to connected devices, rest assured that fraudsters will continue to exploit this communications channel. Educating users on how to protect themselves using public Wi-Fi is critical to safeguarding financial information.

What are you doing to bring awareness to your customers about public Wi-Fi risks?

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

July 20, 2015

Unsafe at Any Speed?

If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?

I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.

Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.

Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.

Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.

Track and report. We must do more of this in a frank, transparent way and it must be timelier.

Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.

There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.

The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

February 17, 2015

Introducing Take On Payments

Maybe you've already noticed it—it's at the top of this web page—but we've got a new name: Take On Payments, or TOP, for short. It's a change we made after a great deal of thought, internal discussion, and input from others. In our many presentations over the last year to payments-related groups consisting of financial institutions, merchants, processors, technology vendors, consumers, and regulators, we always promoted our blog. We put a great deal of effort into every post, and view the blog as an important channel to communicate to the payments industry on timely, risk-related payment topics in what we hope is an educational and thought-provoking way.

However, we were frequently asked about the significance of the name Portals and Rails. The majority of people get the "rails" part since that term is often used to refer to the payments infrastructure—such as in the phrase "riding the check rails." The "portals" part is more of a mystery. People aren't sure if we intend to use it with its generally accepted meaning—that is, an entranceway—or as a reference to a website, which provides information and links to other sites.

So we undertook an evaluation of alternative names that would more clearly identify the purpose for our posts, and we eventually chose Take On Payments. Yes, it's a bit of a play on the words as you can use "take" in a couple of different ways. First, you can think of it as a noun, as in the word "viewpoint." That was our primary thrust since we work hard to provide our perspective on the various payments issues and their risk-related factors. Second, you can also think of "take" as a verb, as in "assume possession of," since we are charged with the responsibility of engaging the entire payments community about payments risk issues. Finally, we like the acronym TOP—we hope Take On Payments will be at the top of your reading list.

In the end, a name is just a name, and we understand that the content of the blog is what is really important to our readers. While the Portals and Rails name has left the station for a final time, our commitment to providing the payments industry with timely and informative content to encourage thought-provoking dialogue about payments risk remains unchanged. As always, we encourage your feedback and hope you will encourage your colleagues to subscribe as well.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.